Challenges
We are encouraging both mathematical cryptanalysis on the lightweight authenticated encryption scheme Spook and side-channel cryptanalysis against its protected implementations. Hunt the ghost. Deadlines and prizes are below. Contact us (team@spook.dev) if you beat some challenge(s).
Mathematical cryptanalysis 1
Organizers: S. Duval, G. Leander, G. Leurent, F.-X. Standaert, F. Wiemer.
We ran a first mathematical cryptanalysis challenge against Spook from October 1, 2019 to February 29, 2020. The best results were found by Patrick Derbez, Paul Huynh, Virginie Lallemand, Leo Perrin, Maria Naya Plasencia and Andre Schrottenloher. They found a rebound distinguisher for the full Shadow and an attack against the integrity of Spook reduced to steps 2 to 5 (so four steps out of six). Details here. Prizes will be awarded at FSE 2020.
Mathematical cryptanalysis 2
Organizers: S. Duval, G. Leander, G. Leurent, F.-X. Standaert, F. Wiemer.
- Attacks against the tweakable block cipher Clyde (in the single key and fixed/random tweak setting): best distinguishing attack (complexity and novelty).
- 6 rounds
- 8 rounds
- 10 rounds
- 12 rounds
- Attacks against the permutation Shadow v2: best distinguishing attack (complexity and novelty).
- 6 rounds
- 8 rounds
- 10 rounds
- 12 rounds
- Attacks against the Spook v2 mode of operation: best attack against the confidentiality or integrity claims.
Confidentiality claims are with nonce misuse-resilience. Integrity claims are with nonce misuse-resistance.
- 2/2 rounds (Clyde/Shadow)
- 4/4 rounds (Clyde/Shadow)
- 6/6 rounds (Clyde/Shadow)
- 8/8 rounds (Clyde/Shadow)
- 10/10 rounds (Clyde/Shadow)
- 12/12 rounds (Clyde/Shadow) - you do not get a prize for this
- Attacks against the integrity of the Spook v2 mode of operation in the unbounded leakage model.
This setting aims to bridge the gap between mathematical and side-channel cryptanalyses and to improve the understanding of the ideal permutation model with (very) liberal leakages and when the permutation is gradually weakened.
In encryption, the adversary can control the nonce and receives the ephemeral key B in full (and therefore all the other intermediate states).
In decryption, he receives similar idealized leakages. We recall that the tag verification must be performed using the inverse of Clyde in order to maintain ciphertext integrity in the presence of such (unbounded) decryption leakages.
- 12/2 rounds (Clyde/Shadow)
- 12/4 rounds (Clyde/Shadow)
- 12/6 rounds (Clyde/Shadow)
- 12/8 rounds (Clyde/Shadow)
- 12/10 rounds (Clyde/Shadow)
- 12/12 rounds (Clyde/Shadow)
- Deadline: February 28, 2021.
Side-channel cryptanalysis
Organizers: D. Bellizia, O. Bronchain, G. Cassiers, C. Momin, F.-X. Standaert, B. Udvarhelyi.
- The CHES 2020 Capture the Flag (CTF) is a side-channel cryptanalysis challenge against masked implementations of the Clyde-128 Tweakable Block Cipher (TBC), which is used in Spook (and has to be strongly protected against side-channel attacks if leveled implementations are considered). Different targets are proposed in parallel, both in software and in hardware, corresponding to masked implementations with various numbers of shares. Challengers are provided with the source code of the implementations (C in software and Verilog in hardware/FPGA), a tool to predict intermediate values of the hardware implementation, profiling sets of traces including the nonces, (random) keys, (random) plaintexts and the randomness used for masking, test sets of traces corresponding to a few fixed keys (without the masking randomness), and finally prototype attacks against a single byte of the secret key for exemplary targets. The goal of the challenge is to modify and improve the prototype attacks. The submitted attacks will be rated based on the number of measurements needed to reduce the rank of the master key below 2^32 using a rank estimation algorithm. All the attacks submitted will be made public to all challengers (under a GPLv3 license or alternatives).
- Link to the challenge website
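The rating metric above relies on rank estimation. The following is an added example, not code from the challenge or its organizers, showing how the rank of a 128-bit key can be bounded from per-byte attack scores. It assumes a histogram-convolution estimator (the page does not say which algorithm the challenge uses), and all function names and sample scores are constructed for illustration.

```python
import math
import random
from itertools import product

def rank_bounds(scores, key, nbins=256):
    """Return (low, high) with low <= rank of `key` <= high; rank 1 = most likely.

    scores[i][v] is the attack's log-probability for value v of subkey i.
    """
    n = len(scores)
    lo = min(min(s) for s in scores)
    hi = max(max(s) for s in scores)
    width = (hi - lo) / nbins or 1.0           # guard: all scores equal
    def to_bin(x):
        return min(int((x - lo) / width), nbins - 1)
    total = [1]                                 # histogram over summed bin indices
    for s in scores:
        hist = [0] * nbins
        for x in s:
            hist[to_bin(x)] += 1
        nxt = [0] * (len(total) + nbins - 1)    # convolution counts all combinations
        for a, ca in enumerate(total):
            if ca:
                for b, cb in enumerate(hist):
                    nxt[a + b] += ca * cb
        total = nxt
    bk = sum(to_bin(s[k]) for s, k in zip(scores, key))
    # Binning shifts each subkey score by at most one bin, so a sum by at most n bins.
    low = 1 + sum(total[bk + n + 1:])           # keys that certainly score higher
    high = sum(total[max(bk - n + 1, 0):])      # keys that may score higher, plus the key
    return low, high

def exact_rank(scores, key):
    """Brute-force rank for toy sizes, used to check the bounds."""
    target = sum(s[k] for s, k in zip(scores, key))
    return 1 + sum(sum(c) > target for c in product(*scores))

def constructed_scores(key, size, seed=1, bonus=1.5):
    """Constructed sample input: noisy log-scores favouring the true subkeys."""
    rng = random.Random(seed)
    return [[math.log(rng.random() + 1e-9) + (bonus if v == k else 0.0)
             for v in range(size)] for k in key]

if __name__ == "__main__":
    key = [7 * i % 256 for i in range(16)]      # constructed 128-bit key, 16 byte subkeys
    low, high = rank_bounds(constructed_scores(key, 256), key, nbins=128)
    print(f"log2(rank) in [{math.log2(low):.1f}, {math.log2(high):.1f}]")
    print("below 2^32:", high < 2**32)          # assumption: test the conservative upper bound
```

More bins tighten the gap between the two bounds at the cost of a longer convolution.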
Prizes
- Belgian chocolate & beers. Since Clyde and Shadow are named after PacMan characters – Clyde for its (masked) random behavior, Shadow for its fast / to the point behavior – special prizes for the most impactful mathematical and side-channel cryptanalyses will follow this theme.